From 5325ee97787392f4084651f3a71ae7761257144c Mon Sep 17 00:00:00 2001
From: Will Mooreston <97046018+labkey-willm@users.noreply.github.com>
Date: Fri, 11 Jul 2025 11:04:57 -0700
Subject: [PATCH 1/2] restore top level audit logging in server default log4j
 (#1124)

* restore top level audit logging in server default log4j

* Update server/embedded/src/main/resources/log4j2.xml

Co-authored-by: Trey Chadick <tchad@labkey.com>

---------

Co-authored-by: Trey Chadick <tchad@labkey.com>
---
 server/embedded/src/main/resources/log4j2.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/server/embedded/src/main/resources/log4j2.xml b/server/embedded/src/main/resources/log4j2.xml
index e88f9f3dd2..8472de6826 100644
--- a/server/embedded/src/main/resources/log4j2.xml
+++ b/server/embedded/src/main/resources/log4j2.xml
@@ -300,9 +300,9 @@
             <AppenderRef ref="QUERY_STATS"/>
         </Logger>
 
-        <!-- <Logger name="org.labkey.audit.event" level="INFO">
+        <Logger name="org.labkey.audit.event" level="OFF">
             <AppenderRef ref="LABKEY_AUDIT"/>
-        </Logger> -->
+        </Logger>
 
         <!--
           Other audit event types include, but are not limited to:

From 544bef98f2f899f2f6195fa3fcc87d5e92482c0f Mon Sep 17 00:00:00 2001
From: Adam Rauch <adam@labkey.com>
Date: Mon, 14 Jul 2025 15:24:44 -0700
Subject: [PATCH 2/2] Update a couple dependencies (#1125)

---
 dependencyCheckSuppression.xml | 22 ++++++++++++++++++++++
 gradle.properties              |  4 ++--
 2 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/dependencyCheckSuppression.xml b/dependencyCheckSuppression.xml
index 0ec7e51890..423ec9f23d 100644
--- a/dependencyCheckSuppression.xml
+++ b/dependencyCheckSuppression.xml
@@ -226,4 +226,26 @@
         <packageUrl regex="true">^pkg:maven/org\.postgresql/postgresql@.*$</packageUrl>
         <vulnerabilityName>CVE-2025-49146</vulnerabilityName>
     </suppress>
+
+    <!-- Currently no update is available for the old commons-lang component, so we must suppress. -->
+    <suppress>
+       <notes><![CDATA[
+       file name: commons-lang-2.6.jar
+       ]]></notes>
+       <packageUrl regex="true">^pkg:maven/commons-lang/commons-lang@.*$</packageUrl>
+       <vulnerabilityName>CVE-2025-48924</vulnerabilityName>
+    </suppress>
+    
+    <!--
+    GSON is getting flagged for "Connect2id Nimbus JOSE + JWT before 10.0.2 allows a remote attacker 
+    to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of
+    uncontrolled recursion." Seems like a case of mistaken identity, so suppress it.
+    -->
+    <suppress>
+       <notes><![CDATA[
+       file name: gson-2.8.9.jar
+       ]]></notes>
+       <packageUrl regex="true">^pkg:maven/com\.google\.code\.gson/gson@.*$</packageUrl>
+       <vulnerabilityName>CVE-2025-53864</vulnerabilityName>
+    </suppress>
 </suppressions>
diff --git a/gradle.properties b/gradle.properties
index e50b5a045b..28f5f3cba4 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -99,7 +99,7 @@ apacheDirectoryVersion=2.1.7
 apacheMinaVersion=2.2.4
 
 # Usually matches the version specified as a Spring Boot dependency (see springBootVersion below)
-apacheTomcatVersion=10.1.42
+apacheTomcatVersion=10.1.43
 
 # (mothership) -> json-path -> json-smart -> accessor-smart
 # (core) -> graalvm
@@ -130,7 +130,7 @@ commonsDbcpVersion=1.4
 commonsDigesterVersion=1.8.1
 commonsDiscoveryVersion=0.2
 commonsIoVersion=2.18.0
-commonsLang3Version=3.17.0
+commonsLang3Version=3.18.0
 commonsLangVersion=2.6
 commonsLoggingVersion=1.3.4
 commonsMath3Version=3.6.1